In this episode of The Watchtower, Ash Hunt sits down with Wade Baker - co-founder of Cyentia Institute and longtime architect of the Verizon DBIR - to dismantle the cybersecurity metrics that feel right but consistently lead programs astray. They take down "average cost per breach," expose why MTTR makes security teams look great while 99% of their vulnerabilities sit untouched, and introduce the half-life metric that actually tracks risk. Plus: why metrics are weaponized more often than they're used, and how AI agents are (finally) democratizing rigorous risk quantification.

Key Takeaways:

- Cost-per-data-record is a survey artifact — there's no linear correlation between breach cost and records lost

- MTTR only measures the vulnerabilities you remediate — so you can post a great MTTR while ignoring 99% of your environment

- Survival analysis / half-life is the better metric — it tracks burn-down against a defined finish line, not raw speed

- Think like a general, not a sniper: zero vulnerabilities is the wrong objective; the right 80% is

- Metrics are weaponized to justify budget more often than they're used to manage program effectiveness

- You don't need a stats PhD — AI agents are democratizing rigorous risk modeling

Wade Baker on LinkedIn: https://www.linkedin.com/in/drwadebaker/

Cyentia Research: cyentia.com/research

Chapters

00:00 Are we measuring the right things?

01:18 Which cybersecurity metrics are most misunderstood

02:48 The psychology of measuring what's easy

04:20 "We've got to measure something" — and the trap that creates

05:30 The real problem: security doesn't agree what "good" looks like

07:40 Sniper vs general: the thinking style CISOs need

09:28 Doing security things vs achieving security goals

10:25 The $215-per-record myth — and why it won't die

12:13 Metrics as weapons: the real reason the number survives

14:31 The needle-in-the-haystack reality of real breaches

15:45 Risk quantification was solved decades ago — in other industries

17:24 The MTTR indictment: measuring only what you fix

18:48 Survival analysis and the half-life metric

21:07 Fixed-speed decay: metrics as decision engineering

23:57 Event landscape vs threat landscape

27:19 AI agents as scenario-analysis partners

30:05 Democratizing risk modeling without a stats PhD

31:13 What security leaders should actually measure

34:15 Your metrics are not your boss's metrics

36:07 Data storytelling: testing a metric's "so what?"

37:03 What's next from Cyentia Institute

Presented by Cyera. Produced by Mission.org.

Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

Dan Bowden is the Global CISO at Marsh - the world's largest insurance broker - where he protects 90,000+ employees across 130+ countries while simultaneously seeing how organizations are evaluated after cyber incidents. In this episode, Dan breaks down how regulation, insurance, and real breach data are changing the standard for what "prepared" actually means in 2026.

Dan Bowden is a seasoned security leader with a background spanning military, healthcare, and banking before joining Marsh as joint Global CISO.

Key takeaways:

- Why the gap between governance documentation and crisis culture is where most organizations fail

- How to properly engage your cyber insurance broker as a consultative security partner, not a checkbox

- What Marsh's breach data actually shows about insured companies being targeted (spoiler: the myth is busted)

- Why MFA in 2026 should be baseline - and what carriers are asking about next

- How regulatory frameworks like NYDFS are shifting from descriptive to prescriptive requirements

Guest: Dan Bowden, Global CISO, Marsh

LinkedIn: linkedin.com/in/danbowden

Chapters

0:00 Dan Bowden: Cybersecurity Is Not “Best Effort”

1:10 What a Global CISO Sees That Others Don’t

3:50 Why Companies Call Their Broker First During an Incident

5:03 What Real Incident Data Actually Teaches You

7:04 Rethinking Risk: Frequency vs Catastrophic Events

10:12 Why Cyber Risk Is Still Measured Wrong

11:39 Stop Letting the News Drive Your Security Strategy

14:32 Where Incident Response Actually Breaks Down

15:00 Governance vs Culture - What Really Happens in Crisis

18:03 How to Test Leadership Under Pressure

19:32 What Most Companies Get Wrong About Cyber Insurance

23:12 Cyber Insurance Is Bigger Than “Cyber”

24:11 Why Most Broker Relationships Fail

25:52 How Insurance Decisions Actually Get Made

27:53 Identity Is the Root of Most Attacks

29:46 MFA Is the Baseline - But Not the End

33:27 How Regulation Is Reshaping Security

37:52 Myth: Insurance Makes You a Target

41:31 The Future: Custom Cyber Insurance Models

Presented by Cyera. Produced by Mission.org.

Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

In the first episode of The Watchtower, Ash Hunt invites Jason Clark, CSO at Cyera, to dig into the hard truth that foundational security controls still fail in real environments. Together, they explore why identity and data remain unsolved, how rapidly changing enterprise tech has outpaced control design, and why AI is forcing the industry to rethink its entire foundation.

This episode is made possible by Cyera.

Chapters

0:00 Has Cybersecurity Failed?

1:22 Jason Clark - Security Built for Old Tech

2:48 Why Security Frameworks Keep Failing

4:58 The Pattern - We Can’t Keep Up - iPhone, Cloud, AI Adoption

7:47 Security Strategy Problem - No Data Visibility

10:02 Data and Identity Are Broken in Security

13:34 Identity Is a House of Cards

15:09 AI Will Break (or Fix) Cybersecurity

18:18 Rethinking Security - Systems and Data as Assets

20:39 Why Security Teams Clash with the Business

24:02 Why Risk Modeling Fails in Security

27:58 CISO Leadership Problem - No Business Influence

30:42 AI Adoption - Why Security Must Lead

33:17 The Future of Cybersecurity - Orchestrating Intelligence

34:07 Closing - What Comes Next

Presented by Cyera. Produced by Mission.org.

Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

Welcome to The Watchtower.

The cybersecurity podcast exploring how identity, data, and behavior now control whether a business runs - or stops.

Hosted by former global CISO, Ash Hunt, The Watchtower pulls back the curtain on what’s actually happening behind dashboards - from fragile identity systems to the real impact of AI inside the business.

New episodes coming soon.

Presented by Cyera. Produced by Mission.org.

Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.